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This talk in 5 minutes (1) 

"How it started?" 



TC7, Johnny Cache: different 802.1 1 clients responded 
differently to change of BSSID in Auth & Assoc Resp. 
- Wow, TCP/IP stack fun all over again! ("You are in 
a maze of twisty implementations, all slightly different"). 




This talk in 5 minutes (2) 

"What is this about?" 

AP vs clients: is it " Can the castle fight off barbarians?" 
More like: "Can the peasants 
find the right castle? " 

Famous attacks on clients 
fake the castle (i.e.. the AP): 



Shmoo: "802.1 1 bait: badass tackle ..." (TC7, '05) 
Dai Zovi, Macaulay: KARMA (CanSecWest '05) 
Simple Nomad: "Hacking the friendly skies" 
Cache & Maynor: "Hijacking a MacBook in 60 sec" 
The Month of Kernel Bugs (Nov 2006), ... 




This talk in 5 minutes (3) 

"What's in a fingerprint?" 



• With enough resources and observations, you can 
fingerprint almost anything 

- Timings, Electric or RF signal, Fourier analysis, ... 

• When cheap and straightforward, it's fun 

- ... like different code logic {Nmap & friends) 

• Lots of protocol states & fields => lots of differences 

- ... and some combinations are gibberish 

- 802.1 1 has lots of these even in L2 headers: (e.g., 
mismatched type and flags in Frame Control) 

So test how your AP reacts to gibberish, at a glance. 
If the picture is different, it's likely NOT your AP. 



This talk in 5 minutes (4) 

"AP responses at a glance" 



Linksys WRT54g: 
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Madwifi-ng soft AP: 







Prism II HostAP soft AP: 
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Auth Requests with 

non-sensical 
combinations of flags 
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BAFFLE 



Written in Ruby 1 .9 

Uses Ruby LORCON from Metasploit 

- forever indebted to the authors! 

Builds pcap/BPF filters for 802.1 1 frames 
from Ruby objects 

A special language for describing tests, 
stimuli and training 
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Where we fit in" 



Passive 



"Usual and Customary" "Cruel and Unusual" 



Packets/Frames 



Packets/Frames 



L4/L3 



POf 



SinFP 



Xprobe 



Nmap 



L2 



J.Cache U5 
duration field 

Franklin et al. 
probe timings 



BAFFLE 



Fuzzers 



Some history 



L3 TCP/IP stack fingerprints 

- Classics 

- New developments 

Countermeasures 

L2 802.11 fingerprinting 



The Noble Art of L3 Fingerprinting: 

"part of a complete TCP/IP VA kit" 



Nmap (1998, 2006--) 
- 2 nd gen. OS fingerprinting: http://nmap.org/osdetect/ 

Xprobe (2001 , 2002—2005) 

• "fuzzy logic" 

POf, the passive fingerprinter (2000, 2006) 

• preceded by "Siphon", adopted by Ettercap, many others 

SinFP (2005) 

• attempts single-port, 3-packet OS fingerprinting 



The Noble Art of L3 Fingerprinting 

-Countermeasures- 



Smart, Malan, Jahanian (USENIX, 2000) 

- "Defeating TCP/IP OS stack fingerprinting" 

- scrubbers suppress "cruel and unusual" packets 
breaking known signatures 

Kathy Wang(DC-12, 2004) 

- "Frustrating OS fingerprinting with Morph" 

- don't just mess up signatures, emulate them 

Niels Provos (USENIX, 2004) 

- "A virtual honeypot framework", Honeyd 

- ... emulate them for entire honeynets 



The Noble Art of L3 Fingerprinting 

-Timing-related- 

• Tony Capela (DC-1 1 , 2003): Ping RTT 

- " Fashionably late - what your network's RTT tells..." 

• Kohno, Broido, Claffy (2005): Clock skew 

- "Remote Physical Device Fingerprinting" paper 

» Dan Kaminsky (2005): IP timers 

- Fragment reassembly timeouts differs between stacks 

• ... many others 



Timeline 



1998: Nmap gets OS fingerprinting 

- 2000: "Scrubbers" suggested to remove anomalies 

- 2001 : Norm (Handley et al.) normalized TCP at 

100,000 pkts/sec (against IDS evasion) 

2001 : Xprobe fingerprints less-used but 
"normal" ICMP, etc. 

- 2004: Honeyd fakes responses of different OSes 

[see nmap.prints, xprobe2.conf]; Morph 

2003, 2005: Timing-related fingerprinting 
_ ? 



802.1 1 : a whole new L2 



Johnny Cache (Toorcon, 2005) 

- "802. 1 1 VLANs and Association Redirection" 

- different client responses to BSSID change in Auth Response 
and Assoc Response frames from AP 

Johnny Cache (Uninformed 5, 2006) 

- "Fingerprinting 802. 1 1 implementations via statistical analysis 
of the duration field" 

- Passive. "Client associates, gets an IP, loads a few webpages" 

Franklin et al. (USENIX Sec, 2006) 

- "Passive link layer 802. 1 1 wireless device driver fingerprinting 

- Client scanning behavior, time intervals between probes 
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State machines and "extra bits" 

TCP 



16-bit 



Source Port 



32-bit 



Destination Port 



Sequence Number 



lent Number (ACK) 



active open: 

init state 

sendSYN 



TCP State Diagram 




close: 



passive open 
i nit state 



clear state 
mvSYN: 



send SYN.ACK 



listen 



recvRN: 
send ACK 



close wait 



Some fields are meaningless 
in at least some of the states. 

Nmap says hello. 



CLOSE: 
send FIN 



lastack 



rev ACK recvACKofFIN 

timeout 



send ACK 



closed 



CS19G-S Networtlng 



V-13 



QiPiTlnhiO *BE-3iniThDmacW Dipppnpr 



802.1 1 states and fiddly bits 




Not all flags 
make sense for all 
types & subtypes. 

Not all flags 

make sense for all 

states. 

Hello BAFFLE. 
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State 2 

Authenticated 
and unaHotiated 
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State 1 

Unaui herniated 
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Can a client station trust an AP? 



Is this AP one of a trusted group, or evil faker? 



Why yes, just exchange some crypto with it, 
and verify the AP knows 
the right secrets. 
Problem solved, right? 
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Access Point 



RftD-Series 
Server 



Not exactly: are all 
these exchanges 
bug-free? 
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EAP-Recfliest 



EAP-P? espouse 



FAP-kjcccss 
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SAP-Request w RAWS 
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Your L2 is possessed by the devil 



"Hijacking a MacBook in 60 seconds" 
"The month of kernel bugs", ... 



7. Application 



6. Presentation 



5. Session 



Probe Request — Probe Response 



4. Transport 





Laptop 




rates, essid, ... 




Wireless Access Point 



l 
f 





M 



1. Physical 
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802.1 1 fiddly bits 



i — i — i — i — r 
I I I I L 







t — a — i — i — r 

J 1 I I L 



Frame 
&ody 



t — i — r 

PCS 

J_l L 



— ' t™ — 




urn 
i 


ffOffl 
l.'S 

9 


Frag 
10 


fiary 
n 


PWf 

AAgmt 

12 


Wo*? 
l! 


Prawned 
Fringe 

H 





Type/Subtype: Mgmt, Control or Data / various modes 
ToDS, FromDS: frame from or to distribution system 
- zero on management and control frames 
MoreFrag: more L2 fragments to follow 
PwrMgmt: station goes into Power Save mode (PS) 
MoreData: AP has data buffered for station in PS mode 



TO DS 



From DS 



More Ft figments 



Retry 



Power Management 



More Data 



Protected Frame 



■Order 



TTT 




i 



J M 



■ 




0) 



5T sy- 
o 



-L- £ £ < -L_ T" S C]< f l [ l [T)T)T)T] Q< f l [^T)Tn) ft 
P -n -n ~ "; "; & M= O O Q Q ' Q Q « «= O. O Q . Q $ 



+ 



DC 



2 



+ 



£^ * 



£ 



g-3 



o 



Management 



Control 



ii d. 
O O 

+ + 

a as 

O 

+ 



c ¥ = = ? + 



a 



+ + ~ ~ 



.Q 



Q 



Li li 

o 

1 + 



d. 
9 



$ ® % 

tfl lZ. 

o 

i 

i=i 



%$ 



£ 

Li 
O 



— CC 



§£s 



o 

+ 

£ 
d. 
o 



Data 



Reserved 



Legend 
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Gibberish 



1 ToDS and FromDS set on Probe & Auth Requests 

- unspecified on Mgmt and Contol frames 

■ MoreFrags on Probe Reqs and Auth Reqs 

- will the AP wait for more, ignore or respond? 

■ MoreData from station to AP (say what?) 

So: send lots of garbage frames, listed for responses 
(varying source MACs helps) 
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Wireless Access Point 



"Secret handshake with an AP" 

All you really know about an AP is its BSSID/MAC 

Don't trust your driver? 
Scared of getting too close with an AP before 
you can learn anything about it through crypto? 
(and you have to get pretty intimate to use crypto) 

Choose some weird things than your APs do 
Check if the BSSID in question does them 



Thanks! 



Johnny Cache for the many inspirations 

Joshua Wright and Mike Kershaw for LORCON 

Uninformed and Toorcon crews 

everyone else who helped us (authors of 
Ruby, Lapack, Metasploit, ...) 



